Abstract

Fault attack is an efficient cryptanalysis method against cipher implementations and has attracted a lot of attention in recent public cryptographic literatures. In this work we introduce a fault attack on the CAESAR candidate ACORN v2. Our attack is done under the assumption of random fault injection into an initial state of ACORN v2 and contains two main steps: fault locating and equation solving. At the first step, we first present a fundamental fault locating method, which uses 99-bit output keystream to determine the fault injected location with probability . And then several improvements are provided, which can further increase the probability of fault locating to almost 1. As for the system of equations retrieved at the first step, we give two solving methods at the second step, that is, linearization and guess-and-determine. The time complexity of our attack is not larger than at worst, where is the number of fault injections such that and is the time complexity of solving linear equations. Our attack provides some insights into the diffusion ability of such compact stream ciphers.

1. Introduction

CAESAR [1] is a new competition calling for authenticated encryption schemes. Its purpose is to find authenticated ciphers that offer advantages over AES-GCM and are suitable for widespread adoption. In total, 57 candidates were submitted to the CAESAR competition, and after the challenge of two rounds, 15 submissions have been selected for the third round. As one of them, ACORN is a lightweight stream cipher based authenticated encryption cipher submitted by Hongjun [2–4]. The cipher consists of a simple binary feedback shift register (FSR, for short) of length 293 and aims to protect up to bits of associated data (AD) and up to bits of plaintext and to generate up to a 128-bit authentication tag by using a 128-bit secret key and a 128-bit initial value (IV).

There are some attacks against ACORN. Meicheng et al. showed the slid properties of ACORN v1 and used it to recover the internal state of ACORN v1 by means of guess-and-determine and differential-algebraic technique [5]. But the attack was worse than a brute force attack. Chaigneau et al. described an attack that allowed an instant key recovery when the nonce was reused to encrypt a small amount of chosen plaintexts [6]. Johymalyo and Sarkar kept the key and IV unchanged, then modified the associated data, and then found that the associated data did not affect any keystream bits if they had a small size [7]. Salam et al. investigated cube attacks against both ACORN v1 and v2 up to 477 initialization rounds which was far from threatening the real-life usage of the cipher [8]. Salam et al. developed an attack to find a collision of internal states when the key was known [9]. Frédéric et al. claimed that they developed practical attacks to recover the internal state and secret key, which were much more expensive than the brute force attack [10]. Dibyendu and Mukhopadhyay gave some results on ACORN [11]; one of them was that they found a probabilistic linear relation between plaintext bits and ciphertext bits, which held with probability . The bias was too small to be tested. The other result was that they could recover the initial state of the cipher with complexity approximately equalling , which was done under an impractical assumption. The designer gave the comments on the analysis of ACORN in (https://groups.google.com/forum/#!topic/crypto-competitions/dzzNcybqFP4), which show that some of the attacks are not really attacks. Since fault differential attack is one of side channel attacks working on physical implementations, it is interesting to apply side channel cryptanalysis to a cryptographic algorithm that is being used or will be used in reality. In [12], the authors shows that with 9 faults experiments, they can recover the initial state. However, the length of keystream bits they use is 1200, which mean that the optimizing SAT solver they used can solve the equations with very high degrees, as the equations they used are output functions and the feedback functions. So far, there are not any results of fault differential attacks on ACORN. In this paper we introduce a fault attack on ACORN v2.

Fault attack is one of the most powerful tools to retrieve the secret key of many cryptographic primitives due to the work of [13]. In [14], Hoch and Shamir first introduced the fault attack on stream ciphers. They showed that a typical fault attack allows an attacker to inject faults by means of laser shots/clock glitches [15, 16] into a device initialized by a secret key and change one or more bits of its internal state. Then he or she could deduce some information about the internal state or secret key by analyzing the difference between the faulty device and the right device. A number of recent works have shown that stream ciphers are vulnerable against fault attacks. In 2008, Michal and Bohuslav showed a differential fault attack on Trivium in [17]. In 2011, Mohamed et al. improved Michal and Bohuslav’s attack by a SAT solver in [18]. In 2009, Castagnos et al. gave a fault analysis of Grain-128 by targeting the LFSR in [19]. Karmakar and Chowdhury also showed an attack of Grain-128 but by targeting the NFSR in [20]. Later on, Banik et al. presented a differential fault attack on the Grain family [21, 22]. In 2013, Banik and Maitra evaluated the security of MICKEY 2.0 against fault attacks in [23], and in 2015, Banik et al. gave its improvement in [24].

In this work we present a differential fault attack on ACORN v2. As there are not any practical attacks against the security of the second version of ACORN so far, the attack present in our paper is still of interest. Our basic idea is coming from the signature based model proposed in [19]. The main difference is that we use a new method to compute the signature vectors which are differential strings in our paper. Omitting the 0 components, we represent the differential string only as the sequence of positions where their corresponding components are either 1 or nonconstant functions on the initial state. We have added these statements in our paper. Our attack is based on a general fault model where a fault is injected into the initial state of ACORN v2 randomly, and our main idea is based on the observation that the first 99-bit keystream of ACORN v2 can be expressed as linear or quadratic functions of the initial state, which helps us retrieve enough linear equations to recover the initial state. Our attack consists of two main steps: fault locating and equation solving. At the first step, after a fault is injected into the initial state randomly, we can locate it with probability by a 99-bit differential string between the error and correct keystream bits. If the string cannot determine the fault location uniquely, then it can determine at most 20 optional fault locations. Subsequently, some improvements are provided to increase the probability of fault locating and reduce the number of optional fault locations, including keystream extension, high probability priority, and making-the-most-use-of-things. At the second step, we give two methods of solving the equation system retrieved at the first step: linearization and guess-and-determine. The time complexity of our attack is not larger than at worst, where is the number of fault injections such that and is the time complexity of solving linear equations.

The rest of this paper is organized as follows. In Section 2 a brief description of ACORN v2 is provided. In Section 3 we present a fault attack on ACORN v2 and further give a forgery attack on it. Finally, Section 4 concludes the paper.

2. Description of ACORN v2

We will recall ACORN v2 briefly in this section; for more details one can refer to [3]. Since our attack does not involve the procedures of the initialization, the process of associated data, and the finalization, here we do not intend to introduce them and just restate the encryption procedure briefly.

Denote by the initial state of ACORN v2, that is, the state of the FSR after initialization and immediately before the keystream bits are outputted, and the plaintext. There are three functions used in the encryption procedure of ACORN v2: the feedback function , the state update function , and the filter function . As is implied by its name, the feedback function mainly involves in the feedback computation of the FSR and is defined as

Introduce intermediate variables (): Then the state update function can be described as It is easy to check that is invertible on when is fixed. The filter function is used to derive a keystream and defined as

At each step of the encryption procedure, one plaintext bit is injected into the state of the FSR, and the ciphertext is got by XOR . The pseudocode of the encryption procedure is given as follows: the bit length of the plaintext;for from 0 to doend for

3. Fault Attack on ACORN v2

Before introducing our fault attack on ACORN v2, we first give an outline of the fault attack model described in [19].

We assume that an attacker can access the physical device of a stream cipher and knows the IV and the keystream . The goal of the attacker is to recover the key or forge a valid tag for plaintext. In our fault attack, the following privileges are required.(1)The attacker has the ability to reset the physical device with the original Key-IV and restart cipher operations multiple times with the same plaintext.(2)The attacker can inject a fault into the initial state randomly before the encryption procedure but not choose the location of fault injection.

Our attack contains two main steps: fault locating and equation solving. At the first step, we will demonstrate how to determine the fault location and retrieve a system of equations on the initial state, and at the second step, we will exploit how to recover the initial state from this system of equations. Once the initial state is recovered, the forgery attack can be executed easily.

3.1. Fault Locating

In this section we will discuss how to locate a fault after it is injected into the initial state of the FSR. We first introduce a fundamental fault locating method and then provide several improvements.

3.1.1. Fundamental Fault Locating Method

Let be the initial state of the FSR and the plaintext. Denote by the closed integer interval from to for two integers and , where . Let and be the correct keystream and the error keystream generated by a faulty initial state at location , respectively, where . We define a 99-bit differential string whose th element satisfies , where . Here we just consider 99-bit differential keystream since they all can be represented as linear or quadratic functions of . When , the first feedback bit of degree 2 will come to 193rd position; the degree of will be 4 and the degree of the differential keystream bit may be 3. So when , the degrees of the differential keystream bits will not be larger than 2. There are three steps to determine the fault location.

Firstly, we get all possible for . Let which is the set of all locations that can be involved in or directly. For any , we can get by changing one bit , whose component is 0, 1, or a function on ,. When and , the new differences that are not the differences caused by shifting are introduced when shifts to the locations in . So for any , can be got directly from some by shifting or performing a linear transformation on , where . Omitting the components, we represent only as the sequence of positions where their corresponding components are either 1 or nonconstant functions on . To better understand the method, an example is given.

Example 1. When is changed, we can get where means consecutive 0s, and Then omitting the components, we rewrite as where () means that the position is always 1.

For any , it is easy to obtain by shifting . For example, Repeating the above process (see Algorithm 1),we can obtain all , which are listed in Table 1.

Table 1: Δ,.

Algorithm 1: Obtain , and .

Secondly, we divide into 99 categories denoted by according to the subscript satisfying and . For example, contains whose first component is 1. It is noticed that, for , it may occur in ,, and since its first 1 may occur at position ,, and ( always holds).

Finally, for a given , we first determine which category it belongs to according to the position of its first 1. Then by comparing other locations of 1 appearing in , we can determine all possible locations of a fault. In a very small number of cases, a single differential string can correspond to more than one fault location. Because of this, we cannot always determine the fault location uniquely.

Running through all possible , we find that the proportion of strings that cannot determine the fault location uniquely is about , and for each nonzero string, the number of optional fault locations is at most . So for a given string , on average, we can determine the fault location uniquely with probability 97.08% (Table 2).

Table 2: Δ in .

3.1.2. Several Improvement Strategies

In order to decrease the proportion of strings that cannot determine the fault location uniquely and reduce the number of optional fault locations, here we provide several improvement strategies.

(i) Keystream Extension Strategy. Extending keystream is a very valid method of increasing the proportion of strings determining the fault location uniquely. The longer the keystream available to us, the higher the probability of determining the unique fault location. We want to guarantee that the number of fault location candidates is less than or equal to 3. Running through the lengths of the keystream from 99 bits to 167 bits, the result shows that it is enough to choose 163 bits. We find that the proportion of strings that cannot determine the fault location uniquely depends mostly on the fault locations in . One of the main reasons is that there is not any components of the differential strings that can always be 1 when the fault locations belong to . This is because the diffusion ability of the last 63 register bits is stronger than that of the first 230 register bits.

Here we extend the keystream to at most 167 bits and divide all possible fault positions into two parts: and . When a fault is injected in , where , we can get an approximate distribution of differential strings on the numbers of optional fault locations by Algorithm 2, seen in Table 3. It is found that when the length of keystream is extended to 163 bits, the proportion of strings not locating a fault is decreased to and the number of optional fault locations is reduced to at most 3. We make a similar process for a fault location in , seen in Table 4. It is seen that when the keystream length reaches 163 bits, the proportion of all zero strings can almost reduce to 0, but the proportion of the strings not locating a fault only decreases to 14.45%. How to use the strategy in our fault locating method will be described in the improved fault locating method.

Table 3: The distribution of the strings (fault injected in ,).

Table 4: The distribution of the strings (fault injected in ,).

Algorithm 2

(ii) High Probability Priority Strategy. Here we assume that the initial state of the FSR is random and uniformly distributed. For a given string , we find that different fault location candidates appear with different probabilities. For example, when we get since each candidate in needs to satisfy , where and , by the expression of , it is known that takes with probability , but with probability (the probabilities of all candidates in are listed in Table 5). For each candidate , we prefer to choose with higher probability and call it high probability priority strategy.

Table 5: Optional fault locations of .

(iii) Cross-Referencing Strategy. Cross-referencing is a common maximized way. Here we adopt it to decrease the proportion of strings not locating a fault. Indeed, there are some inherent relations among the strings got from faults at distinct locations. For a new string , it is helpful to make the most use of knowledge retrieved from old strings to locate a new fault. The following three observations on the filter function will help us to execute the above strategy.

Observation 1. For any , by the first nonconstant component of , we have

Observation 2. For any , by the second nonconstant component of , we have .

Observation 3. For any , by the third nonconstant component of , we have .

For example, when we get , candidates are listed in Table 5. If we have located the fault at and which satisfy , we can exclude the candidate . Because if the candidate is the fault location, should be 1.

3.1.3. Improved Fault Locating Method

Here we present an improvement of the fundamental fault locating method by means of the above optimized strategies. For a given 99-bit , we first determine which category it belongs to according to the position of its first 1. Then by comparing other locations of 1 appearing in , on average, we can locate the fault with probability 97.08%. If cannot locate the fault, we adopt the keystream extension strategy and extend the keystream to at most 163 bits. After this step, the fault has been located with probability 99.95%. If cannot still locate the fault, we will first use the making-the-most-use-of-things strategy to exclude some candidates and then use the high probability priority strategy to guess the right fault location. At last we can locate the fault with probability almost 1. For more detail, see Algorithm 3.

Algorithm 3

3.2. Recovering the Initial State

Once a fault is located, we will retrieve some equations on the initial state . When the number of equations is enough, we can recover from them. Below we show how to retrieve equations and provide two equation solving methods: linearization and guess-and-determine.

3.2.1. Equation Retrieving

As shown in fundamental fault locating method, we just consider 99-bit differential keystream since they all can be represented as linear or quadratic functions of . We first get differential equations when fault is injected in , where , When and , the main idea to retrieve differential equations is to shift or perform the inversion of the linear transformation on , where . For more detail, one can see Example 1. Note that the inversion of the linear transformation will not lead to the transformation of a linear function to a nonlinear function but increase the number of terms in the function (ignoring possible cancellations due to the exclusive OR operation).

For each fault location , where , we have stored the corresponding equations containing both linear and quadratic equations. When one fault experiment is executed, we first judge the fault location and then find the corresponding equations according to the differential string. In order to recover the initial state, next, we will show two methods to solve the equations.

3.2.2. Linearization Method

Our basic idea is to retrieve as many linear equations as possible and then solve the system of linear equations to get . At first, one observation of the functions used in ACORN v2 is given.

Observation 4. Let where ,, and are linear functions of the initial state. Then we have If we have equations of the forms (14), we can get linear equations with probability .

According to the expressions of and the functions used in ACORN v2, where and , we get the following propositions:(P1)The first 58-bit keystream without fault injection are quadratic functions of the initial state and the quadratic terms are of the forms (14). So we can get 58 linear equations with probability (P2)Consider that can be expressed as quadratic functions of . There are two forms of quadratic functions which are and , where ,,,,, and are linear functions of . According to Observation 4, the term can be linearized as with probability and can be linearized as 0 or by guessing the value of with probability . So (17) can be linearized as or with probability and provide two linear equations. For quadratic function of form , if , we know that and . If , we guess the values of and with probability . So by guessing the value of and , we can get 2 linear equations with probability (P3)For all , we calculate the numbers of the quadratic functions of form (17) and . On average, the numbers of linear equations, quadratic equations of form (17), and quadratic equations of form are 2.7, 3.3, and 1.2 for each , respectively. According to (P2), we can get linear equations and 3.3 simple quadratic equations with probability

Based on the above observations, we can retrieve enough linear equations to recover . By (P1), about 58 linear equations can be retrieved with probability , and by (P3), about 11.7 linear equations with probability for each fault. Let be the number of fault experiments. In order to guarantee the probability of recovering is larger than , should satisfy that is, . The remaining linear equations will be given by new fault experiments. Thus the total number of fault experiments is Replace by in ; the probability of recovering is . In particular, when , fault experiments are needed and the probability is . When , fault experiments are needed and the probability is . As fault injection is hard work and each fault experiment would damage the device, we hope the number of fault experiments required should be as small as possible. fault experiments is the smallest number in our attack.

Below we roughly estimate the time complexity of recovering with probability 1. When fault experiments are carried out, denote by the random event of recovering . Then follows a binomial distribution with parameters ( is the set of natural numbers) and , denoted by . If the expected value of is 1, the expected value of is about , where . Actually, the value of is smaller than . As shown in Observation 4, if the first experiment is failed with probability , the success probability of the next experiment becomes . So, the time complexity of recovering with probability 1 is smaller than , where is the time complexity of solving linear equations and is the number of fault experiments such that . By the birthday paradox, there is a high chance of randomly chosen locations being repeated by the time experiments are performed, so the number of actual experiments required to obtain distinct fault locations will be rather higher than .

3.2.3. Guess-and-Determine Method

Here we discuss the complexity of solving the above equation system by guess-and-determine method. For one fault experiment, on average, we can get 4.5 quadratic equations including 1.2 quadratic equations of form and 2.7 linear equations as shown in (P2). The quadratic function of form can be regarded as one linear equation. For quadratic function of form , it is expected to obtain 1 linear equation. If , we know that and . If , we guess the values of and with probability . So by guessing the value of and , we can get 2 linear equations with probability So for one fault experiment, on average, we can get 3.3 linear equations and 3.3 quadratic equations. So we can get 295 equations with 160 linear equations with 41 fault experiments. By guessing 67-bit value, the initial state can be recovered. The time complexity of recovering is , where is the time complexity of solving linear equations.

3.2.4. Implementation and Verification

To prove the validity of our guess-and-determine method, we experimentally test it on a shrunk cipher with similar structure and properties. More specifically, we built a small stream cipher according to the design principles used for ACORN but with a small state of 31 bits. We then implemented our attack to recover the initial state.

Denote by the initial state of the toy cipher and the plaintext. The feedback function is defined asIntroduce intermediate variables (): Then the state update function can be described as The filter function is used to derive a keystream and defined asThe encryption procedure of the toy cipher is the same as that of ACORN v2.

Here we just consider the first 9-bit keystream, since the first 9-bit differential keystream can be represented as linear or quadratic functions of . Statistic shows that for one fault experiment, on average, we can get 2.3 linear equations and 1.5 quadratic equations. So with 9 fault experiments, we can get 34 equations where there are 21 linear equations. By guessing 5-bit value, the initial state can be recovered. Based on heuristic, the time complexity of recovering is , where is the time complexity of solving linear equations. Next, we will provide some experimental results.

Assume that the initial state is and the 9 fault locations have been located which are Totally, we can get 20 linearly independent linear equations and 6 quadratic equations with respect to the initial state. By guessing the values of , and , the 6 quadratic equations can be simplified as linear equations and provide 4 new quadratic equations. Using Gaussian elimination method and guessing one bit more, the 26 linear equations and 4 quadratic equations can be solved easily. The time complexity is the sum of the Gaussian elimination about 26 linear equations and solving the 4 quadratic equations with 4 variables. There are some differences in the value of comparing to our estimation. So the time complexity in the realistic attack may be higher than that of our estimation. We also try several other fault locations and the result shows that if the linearly independent equations are enough, we can always recover the initial state. Of course, if the linearly independent equations are not enough, we need to carry out more fault experiments.

3.3. Forgery Attack

Once the initial state of ACORN v2 is recovered, we can encrypt any message to get the ciphertext and generate a valid tag for it. In other words, we can forge tags for any plaintext. It should be pointed out that our attack is suitable to ACORN v1 as well. Due to the invertibility of the initial process in ACORN v1, we can further recover its secret key.

4. Conclusion

In this work we present a fault attack on ACORN v2 which is one of the second round candidates of CAESAR. Our results show that we can locate almost all faults and recover the initial state with at least 41 fault experiments, whose time complexity is , where is the time complexity of solving linear equations.

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.

Acknowledgments

This work was supported by National Natural Science Foundation of China (Grant no. 61379139 and Grant no. 61572491) and the “Strategic Priority Research Program" of the Chinese Academy of Sciences (Grant no. XDA06010701).